OKTA - Multi-Factor Authentication with Passport

Overview

Login to OKTA managed apps with Passport or eID as a Multi-Factor Authentication token.

Incorporating Passport and eID as Authenticators in your OKTA Access Policy lets users prove their identity even when they have lost their normal multi-factor authenticator or have not yet enrolled one.

Installation

Overview

Two-way configuration is required:

  1. OKTA --oidc--> YumiPass: YumiPass acts as an external claims provider (OpenID Connect IdP) for OKTA.
  2. YumiPass --api--> OKTA: YumiPass verifies that the selected Passport claims match those on the account of the user who is logging in.

Alternatively, to avoid the second step, OKTA could be configured with a claims-matching expression that verifies the selected Passport claims match those on the OKTA accounts. However, this may depend on the OKTA license in use, and it is advised to contact OKTA support.

Step 1 (OKTA --oidc--> YumiPass)

  1. Sign in to your YumiPass integrations account.
    a. Choose Workforce App > OKTA.
    b. Make a note of the displayed Client ID, Secret, Issuer URL, Authorization URL, Token URL and JWKS URL. You will need these values in the following OKTA configuration steps.
  2. Sign in to your OKTA Admin Console, then:
    a. Go to Security > Identity Providers.
    b. Choose Add Identity Provider > OpenID Connect IdP > Next.
    c. In the Configure OpenID Connect IdP dialog, set:
      Name: For example “ymp”
      IdP Usage: Choose Factor Only
      Scopes: Leave the defaults
      Client ID: Paste the Client ID from step 1.b
      Authentication type: Choose Client secret
      Client Secret: Paste the Secret from step 1.b
    d. In the Endpoints section:
      Issuer: Paste the Issuer URL from step 1.b
      Authorization endpoint: Paste the Authorization URL from step 1.b
      Token endpoint: Paste the Token URL from step 1.b
      JWKS endpoint: Paste the JWKS URL from step 1.b
    e. Click Finish.
    f. In the Identity Providers list, open the Actions drop-down on the new ymp identity provider, select Configure Identity Provider, then make a note of the Redirect URI in the Summary box at the top.
    g. Go to Security > Authenticators > Add authenticator > IdP Authenticator.
    h. The Add IdP Authenticator dialog opens. Choose the ymp Identity Provider.

Step 2 (YumiPass --api--> OKTA)

  1. In your OKTA Admin Console:
    a. Go to Security > API > Tokens > Create Token (note: the token is generated with the permissions of the logged-in admin account).
    b. Make a note of the generated Token.
  2. In your YumiPass console:
    a. Paste the Redirect URI you obtained in step 2.f of the previous chapter.
    b. In the Claims transformation API key field, paste the Token you obtained in step 1.b.
    c. Click Create App to finish the installation.
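The claim comparison that Step 2 delegates to YumiPass (and that the claims-matching expression alternative would perform inside OKTA), shown as an added example; this is not YumiPass or OKTA code. It looks up the user's profile through the OKTA Users API with the API token from step 1.b and fails closed on any missing or mismatched claim. The Passport claim names, the custom `birthDate` profile attribute, the OKTA domain and the sample data are assumptions.

```python
import json
import unicodedata
import urllib.parse
import urllib.request

# Assumed mapping: Passport claim in the YumiPass ID token -> OKTA profile attribute.
# The claim names and the custom `birthDate` attribute are assumptions; take the
# real names from the Workforce App claim settings in the YumiPass console.
CLAIM_TO_OKTA_ATTR = {"given_name": "firstName", "family_name": "lastName",
                      "birthdate": "birthDate"}

# Constructed sample data: claims from a passport-backed ID token (MRZ-style
# uppercase) and the OKTA profile of the account that is logging in.
SAMPLE_TOKEN_CLAIMS = {"given_name": "ANNA-MARIA", "family_name": "MÜLLER",
                       "birthdate": "1990-04-12"}
SAMPLE_OKTA_PROFILE = {"firstName": "Anna-Maria", "lastName": "Müller",
                       "birthDate": "1990-04-12", "login": "anna@example.com"}


def normalize(value: str) -> str:
    """Fold case, strip diacritics and collapse whitespace so the passport
    spelling ("MÜLLER") compares equal to the directory spelling ("Müller")."""
    decomposed = unicodedata.normalize("NFKD", value)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(base.casefold().split())


def claims_match(token_claims, okta_profile, required=tuple(CLAIM_TO_OKTA_ATTR)):
    """Return (ok, mismatched_claims). Fails closed: a claim missing on either
    side counts as a mismatch, so an incomplete token or profile never passes."""
    mismatched = []
    for claim in required:
        token_value = token_claims.get(claim)
        profile_value = okta_profile.get(CLAIM_TO_OKTA_ATTR[claim])
        if (token_value is None or profile_value is None
                or normalize(str(token_value)) != normalize(str(profile_value))):
            mismatched.append(claim)
    return not mismatched, mismatched


def fetch_okta_profile(okta_domain: str, login: str, api_token: str) -> dict:
    """Fetch the user's profile from the OKTA Users API using the API token from
    Step 2 (SSWS scheme). okta_domain is a placeholder for your OKTA org."""
    url = f"https://{okta_domain}/api/v1/users/{urllib.parse.quote(login)}"
    req = urllib.request.Request(url, headers={"Authorization": f"SSWS {api_token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["profile"]
```

Because the API token carries the creating admin's permissions, `fetch_okta_profile` only needs read access to users; the comparison itself runs offline on the returned profile.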

To go live

Follow the standard OKTA documentation to add the YumiPass authenticator to one or more of your OKTA Access Policies.

Security Considerations

Go to the OKTA Workforce app registration you created in the YumiPass console and adjust the authentication claims as needed.